Foundry Networks Switch and Router User Manual

Securing Access to Management Functions
December 2000 3 - 5
These commands configure ACL 12, then apply the ACL as the access list for Web management access. The
device denies Web management access from the IP addresses listed in ACL 12 and permits Web management
access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny
Web management access from all IP addresses.
NOTE: In this example, the command web access-group 10 could have been used to apply the ACL configured
in the example for Telnet access. You can use the same ACL multiple times.
Using ACLs to Restrict SNMP Access
To restrict SNMP access to the device using ACLs, enter commands such as the following:
NOTE: The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and Web
management access using ACLs.
BigIron(config)# access-list 25 deny host 209.157.22.98 log
BigIron(config)# access-list 25 deny 209.157.23.0 0.0.0.255 log
BigIron(config)# access-list 25 deny 209.157.24.0 0.0.0.255 log
BigIron(config)# access-list 30 deny 209.157.25.0 0.0.0.255 log
BigIron(config)# access-list 30 deny 209.157.26.0/24 log
BigIron(config)# access-list 30 permit any
BigIron(config)# snmp-server community public ro 25
BigIron(config)# snmp-server community private rw 30
BigIron(config)# write memory
Syntax: snmp-server community <string> ro | rw <num>
The <string> parameter specifies the SNMP community string the user must enter to gain SNMP access.
The ro parameter indicates that the community string is for read-only (get) access. The rw parameter indicates
the community string is for read-write (set) access.
The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
These commands configure ACLs 25 and 30, then apply the ACLs to community strings.
ACL 25 is used to control read-only access using the public community string. ACL 30 is used to control
read-write access using the private community string.
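The ACLs in the SNMP example above can be checked offline before they are applied. The following Python sketch is an added example, not part of the Foundry manual or its software: it parses the access-list lines shown above and evaluates a source address in entry order, first match wins. It assumes the implicit deny that the manual describes for the Web management ACL applies equally to ACLs bound to SNMP communities; the function names and the test address 192.0.2.10 are constructed for illustration.

```python
import ipaddress

# Entries copied from the manual's SNMP example (CLI prompt stripped).
CONFIG = """\
access-list 25 deny host 209.157.22.98 log
access-list 25 deny 209.157.23.0 0.0.0.255 log
access-list 25 deny 209.157.24.0 0.0.0.255 log
access-list 30 deny 209.157.25.0 0.0.0.255 log
access-list 30 deny 209.157.26.0/24 log
access-list 30 permit any
"""

def parse_acls(text):
    """Return {acl_number: [(action, network), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action = int(tok[1]), tok[2]
        spec = [t for t in tok[3:] if t != "log"]
        if spec[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif spec[0] == "host":
            net = ipaddress.ip_network(spec[1])
        elif len(spec) == 2:
            # Wildcard mask: invert it to get a netmask (contiguous masks only).
            mask = ipaddress.ip_address(int(ipaddress.ip_address(spec[1])) ^ 0xFFFFFFFF)
            net = ipaddress.ip_network(f"{spec[0]}/{mask}", strict=False)
        else:
            net = ipaddress.ip_network(spec[0], strict=False)  # a.b.c.d/len form
        acls.setdefault(num, []).append((action, net))
    return acls

def evaluate(acl, source):
    """First matching entry wins; no match falls through to the implicit deny."""
    addr = ipaddress.ip_address(source)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"  # assumption: implicit deny, as described for the Web ACL

def has_permit(acl):
    """An ACL with no permit entry can never admit any source."""
    return any(action == "permit" for action, _ in acl)

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    for num, src in [(25, "209.157.22.98"), (25, "192.0.2.10"), (30, "209.157.26.7"), (30, "192.0.2.10")]:
        print(f"ACL {num} {src}: {evaluate(acls[num], src)}")
    print({num: has_permit(acl) for num, acl in acls.items()})
```

As printed on this page, ACL 25 contains only deny entries, so under the stated assumption the check reports that it admits no source at all, while ACL 30 admits everything outside its two denied networks.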
Restricting Remote Access to the Device to Specific IP Addresses
By default, a Foundry device does not control remote management access based on the IP address of the
managing device. You can restrict remote management access to a single IP address for the following access
methods:
Telnet access
Web management access
SNMP access
In addition, if you want to restrict all three access methods to the same IP address, you can do so using a single
command.
The following examples show the CLI commands for restricting remote access. You can specify only one IP
address with each command. However, you can enter each command ten times to specify up to ten IP addresses.
NOTE: You cannot restrict remote management access using the Web management interface.
Restricting Telnet Access to a Specific IP Address
To allow Telnet access to the Foundry device only to the host with IP address 209.157.22.39, enter the following
command:
